In this post I will cover how I use actionable notifications within Home Assistant. Using push notifications with the Home Assistant iOS App you can setup some really cool triggers within the system.

Below is a list of the technology used at the time of writing:

• Home Assistant - Version 2024.1.4
• Apple iPhone 13 Pro and iPhone 15 Pro
• Apple iOS 17.3

I have two actionable notifications that get used most often:

1. At 6AM I receive a push notification that asks if I am working from home today.

   • Yes and No options are presented
   • If I answer Yes, it will turn on the AC in my office and set the proper temperature based on the temperature outside.

2. On days when my wife and I go into our “real” offices we will receive a notification when we leave in the evening and the house is set to away. This notification asks if you are headed home.

   • Yes and No options are presented
   • If Yes is selected, it will set the air conditioner to the home setting to cool/heat the house in advance.

We will use my “Are you working from home today?” notification as the example[^1].

Step One:

I have an automation configured to send me a message asking if I am working from home on weekdays at 6AM if the house is in sleep mode:

- alias: Ask if Dan is working from home in the morning - Weekday
  condition:
    condition: and
    conditions:
      - condition: state
        entity_id: input_select.home_state
        state: sleep
      - condition: time
        weekday:
          - mon
          - tue
          - wed
          - thu
          - fri
  trigger:
    platform: time
    at: '06:00:00'
  action:
    service: notify.mobile_app_daniels_iphone
    data:
      message: "Are you working from home today?"
      data:
        actions:
          - action: ‘WORKING_FROM_HOME_YES’
            title: ‘Yes’
            destructive: true
          - identifier: ‘WORKING_FROM_HOME_NO’
            title: ‘No’

Step Two:

This is where the rubber meets the road!

In this case the No option does nothing. The notification will close on the phone and that is all. But, ‘Yes’ will trigger an automation in Home Assistant.

Here is the automation that is triggered when Yes is selected:

- alias: iOS Action - Working From Home Yes
  trigger:
    platform: event
    event_type: mobile_app_notification_action
    event_data:
      action: WORKING_FROM_HOME_YES
  action:
    - service: input_select.select_option
      data:
        entity_id: input_select.office_ac_power
        option: 'on'
    - service: input_select.select_option
      data_template:
        entity_id: input_select.office_ac_mode
        option: >
          {% if (states("sensor.dark_sky_temperature") | int) < 65 %}
          heat
          {% else %}
          cool
          {% endif %}
    - service: input_number.set_value
      data:
        entity_id: input_number.office_ac_temperature
        value: 72

Under the trigger event_data you will see that the action corresponds to the action used in Step One. When Yes was selected it kicked off the automation to turn on the AC in my office and set the mode based on the outside temperature. It has worked great!

IMPORTANT NOTES!

Interacting with Push Notifications:

When you receive a notification on you iPhone, do not just tap on it! This will open the Home Assistant app and not present your options!

You can, however, tap notifications on your Apple Watch. See explanations below:

On iPhone:

• While phone is locked:

  • Your received notification will look like this:

    

  • Long press the notification to bring up the selection options

  • You will then be presented with your options:

    

• While phone is unlocked:

  • Your received notification will look like this:

    

  • Swipe down on the notification and you will be presented with your options:

    

On Apple Watch:

• Your received notification will look like this:

  

• Tap the notification to receive your options:

  

Summary

This is covered often in the Home Assistant Community and I just wanted to get my configuration out in hopes that others will find it useful. If you have any questions feel free to leave a comment.

Thanks for reading!

Googling brought littel feedback. Then I got deep into some searches and ran across this Reddit article. Since Reddit always tries to force you to use the app when on mobile and doesn’t let you completely read a post before blocking you out I wanted to post my steps here for future reference. This should be better outlined in the Apple troubleshooting steps as it did fix things right up! But, I am lucky to have a Mac to perform these steps. If you are without a Mac I am not sure what the fix action would be.

Step One - Plug the HomePod Mini Into Mac

I have an M1 MacBook Air and was able to plug the HomePod directly into a USB C port. After the light on the HomePod turned orange I checked finder and say the HomePod connected. Once I clicked ont he device I confirmed that the device had the version 14 OS whereas the rest of the house was on 15.

Step Two - Restore and Update

I then pressed the “Restore HomePod” button and kicekd of the Restore and Update process. I acknowledge the popup to confirm the factory restore and update process:

It then let me know that the HomePod Mini would be updated to OS 15.1. Great! Click Next!

Step Three - Update Completion and Reboot

After clicking next your Mac will download the new OS version and begin flashing the HomePod and restoring factory settings:

After the process is complete you will receive the following popup:

After acknowledging the popup you will see the same screen as at the beginning with the updated OS showing:

Summary

That is all! Just eject the HomePod from your system and go through the typical setup process. It worked like a charm for me.

If you happen upon how to perform this is you do not have a Mac I would love to know. Please comment below and I will update the post.

Sensor for TeslaFi API

This REST sensor will poll the TeslaFi API and expose all JSON items as attributes in Home Assistant:

# TeslaFi

- platform: rest
  name: TeslaFi Report
  resource: "https://www.teslafi.com/feed.php"
  scan_interval: 60
  params:
    token: YOUR TESLAFI API TOKEN HERE
    command: lastGood
  value_template: "{{ value_json.display_name }}"
  json_attributes:
    - api_version
    - autopark_state
    - autopark_state_v2
    - autopark_style
    - battery_current
    - battery_heater
    - battery_heater_on
    - battery_level
    - battery_range
    - calendar_enabled
    - calendar_supported
    - car_type
    - car_version
    - carState
    - center_display_state
    - charge_current_request
    - charge_current_request_max
    - charge_enable_request
    - charge_energy_added
    - charge_limit_soc
    - charge_limit_soc_max
    - charge_limit_soc_min
    - charge_limit_soc_std
    - charge_miles_added_ideal
    - charge_miles_added_rated
    - charge_port_cold_weather_mode
    - charge_port_door_open
    - charge_port_latch
    - charge_port_led_color
    - charge_rate
    - charge_to_max_range
    - chargeNumber
    - charger_actual_current
    - charger_phases
    - charger_pilot_current
    - charger_power
    - charger_voltage
    - charging_state
    - climate_keeper_mode
    - color
    - conn_charge_cable
    - currency
    - data_id
    - Date
    - defrost_mode
    - df
    - display_name
    - dr
    - driveNumber
    - driver_temp_setting
    - driver_temp_settingF
    - elevation
    - est_battery_range
    - eu_vehicle
    - exterior_color
    - fan_status
    - fast_charger_brand
    - fast_charger_present
    - fast_charger_type
    - fd_window
    - fp_window
    - ft
    - gps_as_of
    - gui_24_hour_time
    - gui_charge_rate_units
    - gui_distance_units
    - gui_range_display
    - gui_temperature_units
    - heading
    - homelink_nearby
    - id
    - id_s
    - ideal_battery_range
    - idleNumber
    - idleTime
    - in_service
    - inside_temp
    - inside_tempF
    - is_auto_conditioning_on
    - is_climate_on
    - is_front_defroster_on
    - is_preconditioning
    - is_rear_defroster_on
    - is_user_present
    - last_autopark_error
    - latitude
    - left_temp_direction
    - location
    - locked
    - longitude
    - managed_charging_active
    - managed_charging_start_time
    - managed_charging_user_canceled
    - max_avail_temp
    - max_range_charge_counter
    - maxRange
    - measure
    - min_avail_temp
    - motorized_charge_port
    - newVersion
    - newVersionStatus
    - not_enough_power_to_heat
    - Notes
    - notifications_enabled
    - notifications_supported
    - odometer
    - odometerF
    - option_codes
    - outside_temp
    - outside_tempF
    - parsed_calendar_supported
    - passenger_temp_setting
    - perf_config
    - pf
    - polling
    - power
    - pr
    - rangeDisplay
    - rd_window
    - rear_seat_heaters
    - remote_start
    - remote_start_enabled
    - remote_start_supported
    - rhd
    - right_temp_direction
    - roof_color
    - rp_window
    - rt
    - scheduled_charging_pending
    - scheduled_charging_start_time
    - seat_heater_left
    - seat_heater_rear_center
    - seat_heater_rear_left
    - seat_heater_rear_left_back
    - seat_heater_rear_right
    - seat_heater_rear_right_back
    - seat_heater_right
    - seat_type
    - sentry_mode
    - shift_state
    - side_mirror_heaters
    - sleepNumber
    - smart_preconditioning
    - speed
    - spoiler_type
    - state
    - steering_wheel_heater
    - sun_roof_installed
    - sun_roof_percent_open
    - sun_roof_state
    - temperature
    - third_row_seats
    - time_to_full_charge
    - timestamp
    - trip_charging
    - usable_battery_level
    - user_charge_enable_request
    - valet_mode
    - valet_pin_needed
    - vehicle_id
    - vehicle_name
    - vin
    - wheel_type
    - wiper_blade_heater

Template Sensors

I then created a few template sensors to expose data I would use later on or wanted to see/track more quickly.

- binary_sensor:
    - unique_id: teslafi_terry_hvac_status
      name: "{{ state_attr('sensor.teslafi_report', 'vehicle_name') + ' HVAC Status' }}"
      state: "{{ state_attr('sensor.teslafi_report', 'is_climate_on') }}"
- sensor:
    - unique_id: teslafi_terry_date
      name: "{{ state_attr('sensor.teslafi_report', 'vehicle_name') + ' Last Reading' }}"
      state: "{{ as_datetime(state_attr('sensor.teslafi_report', 'Date')).isoformat() }}"
      device_class: timestamp
    - unique_id: teslafi_terry_odometer
      name: "{{ state_attr('sensor.teslafi_report', 'vehicle_name') + ' Odometer' }}"
      state: "{{ state_attr('sensor.teslafi_report', 'odometer') | round(1) }}"
      unit_of_measurement: "mi"
      icon: mdi:counter
    - unique_id: teslafi_terry_battery
      name: "{{ state_attr('sensor.teslafi_report', 'vehicle_name') + ' Battery' }}"
      state: "{{ state_attr('sensor.teslafi_report', 'battery_level') | int }}"
      unit_of_measurement: "%"
      icon: mdi:battery-80
    - unique_id: teslafi_terry_range
      name: "{{ state_attr('sensor.teslafi_report', 'vehicle_name') + ' Battery Range' }}"
      state: "{{ state_attr('sensor.teslafi_report', 'battery_range') | float }}"
      unit_of_measurement: "mi"
      icon: mdi:gauge
    - unique_id: teslafi_terry_car_state
      name: "{{ state_attr('sensor.teslafi_report', 'vehicle_name') + ' Car State' }}"
      state: "{{ state_attr('sensor.teslafi_report', 'carState') }}"

Switches

I then created two switches to control the HVAC status of Terry the Tesla:

# TeslaFi Switches
- platform: command_line
  switches:
    teslafi_terry_climate_cli:
      command_on: '/usr/bin/curl -X GET "https://www.teslafi.com/feed.php?token=YOUR API TOKEN HERE&command=auto_conditioning_start&wake=40"'
      command_off: '/usr/bin/curl -X GET "https://www.teslafi.com/feed.php?token=YOUR API TOKEN HERE&command=auto_conditioning_stop"'
      friendly_name: Terry HVAC Command Line

- platform: template
  switches:
    teslafi_terry_climate:
      friendly_name: Terry HVAC
      value_template: "{{ is_state('binary_sensor.template_teslafi_terry_hvac_status', 'on') }}"
      turn_on:
        service: switch.turn_on
        target:
          entity_id: switch.teslafi_terry_climate_cli
      turn_off:
        service: switch.turn_off
        target:
          entity_id: switch.teslafi_terry_climate_cli

I hope this helps someone! If you have any questions please ask in the comments.

First, I have to give some credit to all of the sites that helped me along the way:

• https://wiki.archlinux.org/index.php/WireGuard
• https://securityespresso.org/tutorials/2019/03/22/vpn-server-using-wireguard-on-ubuntu/
• https://emanuelduss.ch/2018/09/wireguard-vpn-road-warrior-setup/
• https://restoreprivacy.com/wireguard/
• https://www.ckn.io/blog/2017/11/14/wireguard-vpn-typical-setup/
• https://github.com/pirate/wireguard-docs

Without these write ups I would have had a much longer journey.

In this post I will not be going into any theory. This is just a run down of my setup and mostly notes to myself before I forget everything!

I am running this on a NUC that I use for HASS.IO. It has a lot of horsepower and is already in my DMZ so I thought, why not. This NUC is running Ubuntu 18.04 and was up to date when I started. After making sure my box was up to date I performed the following steps:

sudo -s
add-apt-repository ppa:wireguard/wireguard
apt install qrencode
apt install wireguard
modprobe wireguard
lsmod | grep wireguard # This lets you know that the wireguard module is good to go.

cat << EOF >> /etc/sysctl.conf  # These lines add forwarding capability to your server
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
EOF

sysctl -p

This should get the system ready to go. Now set the wireguard ser to start at bootup:

systemctl enable wg-quick@wg0

Now we move on to configuring the server.

Run the following commands to lay the groundwork:

cd /etc/wireguard
umask 077
wg genkey | sudo tee privatekey | wg pubkey | sudo tee publickey

Next use you favorite text editor to create the wg0.conf file. Here is an example of mine:

[Interface]
Address = 172.24.1.1/24
SaveConfig = true
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -i eno1.11 -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -i eno1.11 -j ACCEPT
ListenPort = 51820
PrivateKey = < use privatekey generated in previous step >

You will need to adjust the interface in the iptables statement to reflect your interface name. I used eno1.11 on my server.

I have been asked about locking down the server some more using iptables. It is definitely possible! Here is a good example post. I have my server behind pfSense which helps me keep it locked down and that is why I used the iptables config above.

In this setup you will not perform any NAT. You will ahve to ensure routing is setup properly in your environment since this will route your VPN user IPs straight through. I use pfSense and have static routing setup to allow the proper flow of traffic. It also helps me lock down access.

Now you can run wg-quick up wg0 to bring up your wireguard interface. Too easy!

Now to configure a client. I use the wireguard app on my iPad and iPhone, so I will go through an example of how I configure a client for that.

First, I create a directory for my device. This is not required, I do it for my own sanity. Since we are still in /etc/wireguard i run mkdir dan_iphone then switch into that directory. Next things look familiar:

cd dan_iphone/
umask 077
wg genkey | sudo tee privatekey | wg pubkey | sudo tee publickey

Now I create a file named dan_iphone.conf. See example below:

[Interface]
Address = 172.24.1.2/24
PrivateKey = < use privatekey generated in previous step >

[Peer]
Endpoint = < Your server name or IP >:51820
PublicKey = < Your server's public key >
AllowedIPs = 172.24.1.1/32, 192.168.0.0/24
PersistentKeepalive = 25

For allowed IPs use whatever you need for access to your network or 0.0.0.0/0 for a full tunnel experience.

You will need to run the following command on the server to add this peer:

wg set wg0 peer < peer public key > allowed-ips 172.24.1.2/32

Now generate a QR code to configure the Wireguard App on your iPhone:

qrencode -t ansiutf8 < dan_iphone.conf

You can also output this to a file if you need to ship it off for some reason:

qrencode -t ansiutf8 -o dan_iphone.jpg < dan_iphone.conf

Once your phone is configured you will be good to go!

To delete a peer do the following (while the wg0 interface is up):

wg set wg0 peer <peer_pubkey> remove

I also added the piece pointed out in the Archlinux Wireguard Page to deal with changing IPs. Since I am using this on phones and mobile hotspots, this could be an issue.

Here are the two files I created:

/etc/systemd/system/wireguard_reresolve-dns.timer

[Unit]
Description=Periodically reresolve DNS of all WireGuard endpoints

[Timer]
OnCalendar=*:*:0/30

[Install]
WantedBy=timers.target

/etc/systemd/system/wireguard_reresolve-dns.service

[Unit]
Description=Reresolve DNS of all WireGuard endpoints
Wants=network-online.target
After=network-online.target

[Service]
Type=oneshot
ExecStart=/bin/sh -c 'for i in /etc/wireguard/*.conf; do /usr/share/doc/wireguard-tools/examples/reresolve-dns/reresolve-dns.sh "$i"; done'

Then you setup the timer service to run:

systemctl enable --now wireguard_reresolve-dns.timer

Now you should be good to go! If you have any questions leave a comment. Thanks for reading!

As a life long technology practitioner I am often asked what training I did to gain my PMP in 2017. While I “only studied for 3 weeks” before taking the exam, I had a lot of experience that really made that possible. I thought I would write all of my notes here so I have an easy point of reference and maybe it will help someone on their journey.

First, I have been participating in and directing projects for almost 20 years. And more than just technology projects! I have worked on construction projects, research and development projects, automotive projects, all sorts of things. Although I had no “formal” project management education during a majority of that time, a lot of the methods are natural and you just have to learn the language and official name for the thing you are already doing.

I am also a “nontraditional” university student. I went back to the University of Southern Mississippi and finished my BS in Applied Technology back in 2016. During my undergraduate coursework I had a 400 level class on project management that was based on the PMBOK. Then I started my graduate work at Louisiana Tech in Engineering and Technology Management. During my coursework there I have a 500 level class in project management which required a research piece on the entire Project lifecycle for a sample construction project. This added to my recent formal project management education.

Once I got serious about getting my PMP I went through quite a few study materials before I found two that worked very well for me:

• The PM Prepcast
• PMTraining PMP Practice Exams

The way I approached this was that I first listen to the intro episode for every area of the PMBOK in the PM Prepcast. Then I started taking practice exams. The PMTraining material has a great method of guiding you through varying levels of questions and showing you where you need to focus. I took this feedback and dove into more focused areas of the Prepcast. Boom, 3 solid weeks of this and I passed first shot.

Hope this helps and thanks for reading. If you have any questions comment below.

When it comes to picking out a pork shoulder, I am not too picky. I just want something that is 8 to 9 lbs and has a good chunk of fat on the top.

Once I have my pork shoulder I make up a brine consisting of the following ingredients. I mix the dry part separately first and save about half to rub on the shoulder after brining. I put the rest of the mixture in the apple cider vinegar:

I put this in a container that will hold the brine and cover the entire pork shoulder. Adjust as needed for your container. I brine the pork shoulder for 12+ hours in the fridge. BOOM!

I have a Daniel Boone from Green Mountain Grills. For this pork shoulder I use Black Cherry Pellets that I get on Amazon. I heat the smoker to 250 and let it sit for 30 minutes or so to even out.

While the grill is warming I remove the shoulder from the brine. I put it on a tray and start patting it down with the remainder of the dry mix. Once I have it coated it is ready for the smoker. I place it toward the firebox in the smoker and insert my temperature probe from the GMG into a thick part of the shoulder. Preferably somewhere away from the bone. Sometimes I place a little bowl of the brine inside the smoker to raise the humidity a bit. Dealers choice…

Now we wait…

I set the temp on the smoker to alert when the shoulder reaches 165 degrees internal temp. I also use my instant thermometer to check different spots on the shoulder as needed. Once the shoulder hits 165 I remove and wrap in foil. I know that wrapping is a long discussion, but I do it for my pork shoulder. I like it and it makes me happy. I then place it back in the smoker until it hits 190 degrees internal temp, again checking with the thermometer to verify in other spots.

And we are done. This has worked well for me every time I have smoked a shoulder and I have yet to receive any complaints from the family. I hope it helps you in developing your own recipe!

Thanks for reading!

Here are a few pictures for good measure.

Brine:

After Brine

Start:

Finish:

Shredded:

First, this site from yasoob does a great job running down how to get this setup in Github and on Heroku. I will just add af ew changes I made based on the content of Issue #299.

As pointed out in yasoob’s post, and in a ton of issues on the repo, there are a few things amiss with the master branch. And some of the fixes mentioned in the post did not work for me, but here is what did…

As pointed out by the trusty VincentTam in his comment on Issue #299 he points out that in his deploy release he is uing 55d1430. So, that is what I used as well. And after some testing everything seems to work fine. I am using v3 on both of my sites and the Mailgun integration and all is working as expected. I have not tested GitLab integration as I do not have a GitLab setup, but I may give it a shot in the future.

So, here is the quick and dirty on how I did it:

1. Fork the Staticman Repo
2. Create a Heroku app as mentioned above
3. Run git checkout -b workaround 55d1430 to create a branch named workaround from the commit mentioned above.
4. Push that branch to Heroku using git push -f heroku workaround:master. I add the -f because I felt like living dangerously

If you configured all of your environment variables properly you should be good to go! I am running this instance on both NetworkHobo and Dan C Williams using the v3 API without issue.

I know this is quick, but I needed to get it out of my head. Please comment below if there are any questions. Thanks!

I do enjoy baking a pound cake form time to time and here is my favorite recipe. It is very basic, but gets the job done!

• 2 cups of flour
• 2 cups of sugar
• 2 sticks of butter
• 2 teaspoons of vanilla
• 6 eggs

Boom! Too easy, right? The secret is to mix this…FOREVER. When you put this in the mixer for 5 minutes or so it will be yellow. Just keep mixing until the batter turns white. Another way to check is by doing a taste test and seeing if the sugar is still gritty in the batter. If there is still grit…don’t quit!. When it is smooth that is when it is ready. Move that batter to a greased up Bundt pan and bake at 325F for 1 hour.

Sometimes I even make a mixed berry sauce if I’m feeling fancy…

Thanks for reading and I hope you enjoy!

We all know the patron Saint of spreading your message to the world:

But, lets be cognizant of our surroundings. Everyone wants to hear your announcement. But, maybe, they do not want to be a part of the overall discussion. More often these days folks are copying God and country on every e-mail that goes out. Most of these e-mails are announcements that require little to no feedback. Even though that is the case there is always someone who hits that beloved reply all button to give a quick and polite Thanks or Gotcha.

You have now created a storm…

After a coupla helpful Thank Yous someone is going to pipe up with a Please remove me from this list. Now it is all downhill. If you are old school and have on-site exchange you are now getting a drive-by asking why you are killing the queues. If you are using O365 the NOC is getting notified of direct connect traffic spike dues to a rouge e-mail and some improper routing in the core (trust me). Routing, you would think we would be over that stuff by now. But we aren’t.

(If you are using Google for the business e-mails…I am not sure who would be yelling at you. I am sure there is someone. Don’t feel left out.)

Invoke the power of BCC!

Unless you just want feedback from everyone please, please, use BCC. For those who are not read in, this is the Blind Carbon Copy. It gets the message to all of the people you want to get it to, but if someone does a reply all, no one else gets the reply. No storm…no craziness…no hate. If you receive a reply that you feel the entire grou should know about, send it to everyone, and BCC them. Too easy. Another thing I do is actually send that e-mail to myself with everyone BCC’d. That way all replies come right back to me. If there is a reply it is my burden to shoulder. I started this mess anyhow…

Summary

I know you are tired of e-mail stuff. But, I have a lot of folks to teach. I NEED AN OUTLET

Thanks for reading. Comments are awesome. Thanks.

Even with all the super cool collaboration tools that are available today, a lot of management types still rely on the old faithful Outlook Calendar. They ask that you send out an invite for your vacation so that all the key stakeholders are aware of the time you will be out of the office. I will admit, I still do this today and I encourage my staff to do the same. It was beat into me at GE and I just cannot break the habit.

But let us be thoughtful of other’s calendars…

When sending an invite out to your team, be cognizant of what that invite will look like on their calendar. If you send out an invite marked as Out of Office and they accept, it will show them as out of office as well. This is not good since they will likely still need to attend meetings and have an open calendar while you are on leave. Let’s make sure we do not block them out.

Send it free and clear…

When you send out the big group invite for your vacation, mark it as free time.

Also, do not ask for a response.

Now that the invite has gone out announcing that you will be on vacation and it is shown as free time on everyone’s calendars, you are a meeting invite hero! But, you have to show that you are in fact Out of Office on your individual calendar. Too easy…just set an appointment for yourself showing Out of Office. Now you are covered.

Summary

It may feel like a little double work, but at the end of the day it really makes you look like you are a considerate team member. It will go a long way with helping the entire team communicate better.

I am always looking for other ideas. I would love to hear how you handle this on your teams. Thanks for reading!

I just spent the last day putting together some Drafts actions and iOS Shortcuts. This is just a short test to see if the process works. Then I will document it all.

Image test:

This will be short. Months ago someone recommended the Drafts app to me so I installed it. They had told me how awesome it would be and how helpful it would be with my growing use of OmniFocus. Well, not so much…until now!

I recently picked up an iPad Pro for work and have been using it a ton. I was watching some random YouTube videos on various tools for the iPad and stumbled upon a video playlist around Drafts 5. Now I understand. The blank white display and minimal interface hid so much power from being clearly evident. Also, I was really busy so I did not spend much time poking and prodding. Now I have added some new actions, learned how to quickly create blog posts from templates that automatically fill out front matter, all that jazz. I am a sucker for templating!

I had been writing with IAWriter, which I will still be using, but I can see the power of Drafts for really getting to work quickly.

Ok, off to dinner with the family. It is Monday night, gotta get some of those red beans.

Thanks for reading!

I often find myself receiving forwarded e-mails with little to no context or prior conversation. This baffles me. How could someone feel ok forwarding me an e-mail chain of twenty or so messages and the only notes from the sender is their automated signature block?

I immediately trash these…

Then comes the inevitable drive-by, “Hey, did you get that e-mail I forwarded you?” Nope, never received it. If someone needs an explanation to make them feel better I will say something like I may have seen it, but at a glance it looked like it was an accidental forward and I canned it.

”Oops…what was it about anyway?

Note: Do not make the mistake above…

We have all done it. If you say you haven’t you are only kidding yourself. That is fine to do, as long as deep inside you are aware of it.

You have read this e-mail chain, you know the reason you feel it needs to be passed on, take the initiative and put a quick summary at the top. Hit them up on the chat app of the day, or, and this is crazy, pick up the phone and talk to the person you are forwarding it to. Hell, call them, forward the e-mail, and then discuss the content you find interesting.

SO MANY OPTIONS!!!

Never blind forward an e-mail and expect people to care about the contents as much as you do…

You are wasting their time. It is that simple. Know your audience and respect their time as if it were your own. Why force someone else to dig through an entire string of poorly edited text just because you found a bit of info you found interesting. Sum it up. Heck, call it an executive summary if you want to sound fancy and your boss is one of the receiving parties. Folks LOVE the feeling of receiving an executive summary.

It is not just for them, it is for you too…

When you summarize your thoughts it gives you a moment to analyze what you are thinking and be sure everything is clear. It helps you gather your thoughts. Because, if the e-mail content is as forwardworthy (TM) as you think it is, someone is eventually going to ask you to sum it up verbally in a meeting or huddle or scrum-whatever-the-folks-are-doing-these-days. Now when asked to do this, usually on the spot, you already have your thoughts together. Too Easy!

Summary

Ok, I am about to land so I need to wrap this up. I have a many more thoughts on e-mail etiquette in a professional working environment, so I hope you don’t get too bored!

Thanks for reading…

In this post I will cover how I use actionable notifications within Home Assistant. Using push notifications with the Home Assistant iOS App you can setup some really cool triggers within the system.

Below is a list of the technology used at the time of writing:

• Home Assistant - Version 0.60.1
• Apple iPhone X and iPhone 7
• Apple iOS 11.2.2

I have two actionable notifications that get used most often:

1. At 6AM I receive a push notification that asks if I am working from home today.

   • Yes and No options are presented
   • If I answer Yes, it will turn on the AC in my office and set the proper temperature based on the temperature outside.

2. On days when my wife and I go into our “real” offices we will receive a notification when we leave in the evening and the house is set to away. This notification asks if you are headed home.

   • Yes and No options are presented
   • If Yes is selected, it will set the air conditioner to the home setting to cool/heat the house in advance.

We will use my “Are you working from home today?” notification as the example¹.

Step One:

I have an automation configured to send me a message asking if I am working from home on weekdays at 6AM if the house is in sleep mode:

- alias: Ask if Dan is working from home in the morning - Weekday
  id: ask_if_dan_is_working_from_home_in_morning_weekday
  condition:
    condition: and
    conditions:
      - condition: state
        entity_id: input_select.home_state
        state: sleep
      - condition: time
        weekday:
          - mon
          - tue
          - wed
          - thu
          - fri
  trigger:
    platform: time
    at: '06:00:00'
  action:
    service: notify.ios_dan_iphone
    data:
      message: "Are you working from home today?"
      data:
        push:
          category: "working_from_home"

The thing to key on here is the push category used in the action. This will be used later…

Step Two:

Now we need to configure the iOS push category that corresponds with the category used in the automation.

I keep my push categories in a separate file named ios_push_categories.yaml. Here is the excerpt from my configuration.yaml:

ios:
  push:
    categories: !include ios_push_categories.yaml

And here is the appropriate section fomr ios_push_categories.yaml:

NOTE: The identifier must be lower-case!

- name: Working From Home
  identifier: 'working_from_home'
  actions:
    - identifier: 'WORKING_FROM_HOME_YES'
      title: 'Yes'
      activationMode: 'background'
      authenticationRequired: no
      destructive: yes
    - identifier: 'WORKING_FROM_HOME_NO'
      title: 'No'
      activationMode: 'background'
      authenticationRequired: no
      destructive: no

This will provide the options that are presented with the notification and tie those options with an identifier. This will be used later…

Step Three:

This is where the rubber meets the road!

In this case the No option does nothing. The notification will close on the phone and that is all. But, ‘Yes’ will trigger an automation in Home Assistant.

Here is the automation that is triggered when Yes is selected:

- alias: iOS Action - Working From Home Yes
  id: ios_action_working_from_home_yes
  trigger:
    platform: event
    event_type: ios.notification_action_fired
    event_data:
      actionName: WORKING_FROM_HOME_YES
  action:
    - service: input_select.select_option
      data:
        entity_id: input_select.office_ac_power
        option: 'on'
    - service: input_select.select_option
      data_template:
        entity_id: input_select.office_ac_mode
        option: >
          {% if (states("sensor.dark_sky_temperature") | int) < 65 %}
          heat
          {% else %}
          cool
          {% endif %}
    - service: input_number.set_value
      data:
        entity_id: input_number.office_ac_temperature
        value: 72

Under the trigger event_data you will see that the actionName corresponds to the identifier used in Step Two. When Yes was selected it kicked off the automation to turn on the AC in my office and set the mode based on the outside temperature. It has worked great!

IMPORTANT NOTES!

Creating and Updating iOS Push Notifications:

Each time you create or update an iOS push notification within home assistant you must update oush settings within the iOS app.

To do this go into the settings (gear icon) within the iOS app and navigate to Notification Settings > Update push notifications.

Interacting with Push Notifications:

When you receive a notification on you iPhone, do not just tap on it! This will open the Home Assistant app and not present your options!

You can, however, tap notifications on your Apple Watch. See explanations below:

On iPhone:

• While phone is locked:

  • Your received notification will look like this:

    

  • Swipe left on the notification and tap “View”:

    

  • You will then be presented with your options:

    

• While phone is unlocked:

  • Your received notification will look like this:

    

  • Swipe down on the notification and you will be presented with your options:

    

On Apple Watch:

• Your received notification will look like this:

  

• Tap the notification to receive your options:

  

Summary

This is covered often in the Home Assistant Community and I just wanted to get my configuration out in hopes that others will find it useful. If you have any questions feel free to leave a comment.

Thanks for reading!

I like to automatically log all sessions that I open, just so I have a record of all my keystrokes. It also helps when doing discovery operations so that I do not have to repeat logins to collect information that I may not have felt was important previously.

This post will lay out how to setup aut logging for all sessions globally. This is also geared toward Windows, but the same logic can be used on any platform. Only the folder structures will change.

I am using SecureCRT Version 7.3.7 (build 1034).

Open SecureCRT > Options > Global Options > General > ****Default Session > Select the Edit Default Settings button:

Log File Name: C:\Users\{{ YOUR USERNAME }}\{{ YOUR FOLDER LOCATION }}\%Y\%Y-%M\%Y-%M-%D\%S (%H) -- %Y-%M-%D_%h-%m.txt

Upon Connect: Start recording %S (%H) - %Y/%M/%D %h:%m:%s

Upon Disconnect: Stop recording %S (%H) - %Y/%M/%D %h:%m:%s

On each line: %h:%m:%s.%s §

The NUC I purchased had 4GB RAM, 64GB SSD, and wireless. Before I began loading anyhting I wanted to make sure the NUC was updated with the latest and greatest BIOS version since I had heard of issues with previous versions.

When I logged into the machine I found it was running version 42. The Intel site showed that the latest version for this platform is 62. So, I followed the instructions to perform a Power Button Menu Update. This method looked to be very straightforward, but then I hit an issue.

When I selected F7 to load the new BIOS from the USB stick I went through the image selection and hit ENTER to install, the screen went black, then the power button flashed twice and the NUC rebooted. I hit F2 to bring up the BIOS menu and noticed it was still running version 42. No change…

I reloaded the USB, tried other methods, everything! But, the same outcome occured each time.

I started researching and finally found some random forum entry somewhere (no link) that mentioned to check the RAM speed. I check the RAM that was installed in the NUC and it was 2 x 2GB 1066MHz sticks. Then I started digging up the version 62 release notes.

There it was, 1066 MHz RAM was not supported by BIOS version 62:

Note: The memory reference code in BIOS version 0046 was updated as a part of the changes made in the BIOS to meet Microsoft Windows 8.1 requirements. This new memory code no longer supports 1066 MHz memory modules.

So, I went to the shop and found an old 4GB 1600MHz stick that I had and swapped out the RAM in the NUC. I tried the Power Button Menu method again and it worked without issue! Now I am up and running on the latest BIOS.

Hope this helps someone else that may run into this odd issue when the NUC provides very little feedback.

In this post I want to cover the steps I went through to get Staticman nested comments and e-mail notifications working in Hugo.

Disclaimer: I am new to Hugo, Go Templating, JavaScript, and all the bits and pieces used in this write-up. I am sure there are more efficient methods to achieve these results. Please provide any feedback in the comments or feel free to issue a pull request. Thanks!

Below is a list of the technology I use for this blog:

• Hugo - Version 0.31.1
• Beautiful Hugo Theme
• Staticman
• Netlify
• Network Hobo GitHub Repo

I do not go through all of the steps for basic Staticman setup and API registration. This is covered in the great Staticman Documentation.

In the beginning…

After years of hosting this blog on Wordpress I decided I wanted to make a move to a more flexible option. I started looking at static site generation and all of the various options. I finally decided to take a crack at Hugo.

I went in search of a clean template for my new Hugo site. After much searching I decided to go with Beautiful Hugo. At the time, I started using Beautiful Hugo it only supported Disqus for commenting. I knew I wanted to take this opportunity to gain control of all of my data, so I started adapting the Beautiful Hugo theme to use Staticman for commenting.

• Note: As of November 21, 2017, the Beautiful Hugo theme now natively supports Staticman comments (PR#99). This is basic commenting without replies or e-mail notification. I plan to work these features into the theme. Just wanted to get my logic down here before I lose it :-).

I started my work with Staticman by using the Hugo example site from Staticman themselves. Eduardo Bouças (creator of Staticman) did a great job putting this small example site together. I used the post-comments.html partial from this site as the base to begin exploring Staticman. I broke this out into two partials, one for parsing the comments to show and one for the comment form itself. I did this so that later I could add a feature to lock comments on a post if needed.

Now I need to investigate how to handle e-mail notifications. That is when I stumbled upon this gold mine of information from Michael Rose. This article and Michael’s GitHub repo really helped me walk through the logic of e-mail replies as well as how he handled nesting replies. What a GREAT source of information!

Putting it all together:

The first thing I wanted to be sure of was that I did not statically configure anything. I wanted Staticman to act just like another available comment module within the template. Therefor I added the following pieces of information to the Params section of my config.toml file:

staticman_api = "https://api.staticman.net/v2/entry/dancwilliams/networkhobo/master/comments" #Add staticman API URL to enable staticman comments

Then I added some logic to the layouts/_default/single.html file to look for the staticman_api Site.Param, and if existed to add the post-comments.html partial:

{{ if (.Params.comments) | or (and (or (not (isset .Params "comments")) (eq .Params.comments nil)) (.Site.Params.comments)) }}
  {{ if .Site.Config.Services.Disqus.Shortname }}
    <div class="disqus-comments">
      {{ template "_internal/disqus.html" . }}
    </div>
  {{ end }}
  {{ if (.Site.Params.staticman_api) }}
    {{ partial "post-comments" . }}
  {{ end }}
{{ end }}

I then moved on to the creation of the layouts/partials/post-comments.html partial:

<section class="post-comments">
  <h3>Comments</h3>

  {{ $.Scratch.Add "hasComments" 0 }}
  {{ $entryId := .File.BaseFileName }}

  {{ range $index, $comments := (index $.Site.Data.comments $entryId ) }}
    {{ $.Scratch.Add "hasComments" 1 }}
    {{ if not .reply_to }}
      <div class="post-comment">
        <div class="post-comment-header">
          <img class="post-comment-avatar" src="https://www.gravatar.com/avatar/{{ .email }}?s=100">
          <p class="post-comment-info"><strong>{{ .name }}</strong><br>{{ dateFormat "Monday, Jan 2, 2006" .date }}</p>
        </div>
        {{ .body | markdownify }}
      </div>
      <div class="comment__reply">
        <a id="{{ ._id }}" class="btn-info" href="#comment-form" onclick="changeValue('fields[reply_to]', '{{ ._id }}')">Reply to {{ .name }}</a>
          </div>
      {{ partial "comment-replies" (dict "entryId_parent" $entryId "SiteDataComments_parent" $.Site.Data.comments "parentId" ._id "parentName" .name "context" .) }}
    {{ end }}
  {{ end }}


  {{ if eq ($.Scratch.Get "hasComments") 0 }}
    <p>Nothing yet.</p>
  {{ end }}

  {{ partial "comment_form" . }}

</section>

You can see that most of this is pulled from the Staticman Hugo example. I did remove some of the looping and dataset reading that I found to be excessive. You will also see that I added some logic to only present comments that were not replies and to add a button for replies to those comments.

I had to add a piece of JavaScript to the reply button to set the value of the fields[reply_to] hidden input. This field is set to the ._id value of the current parent comment. This allows for the fields to be properly populated by Staticman:

Located here

// Added function to change value onclick
function changeValue(elementName, newValue){
  document.getElementsByName(elementName)[0].value=newValue;
};

Here are examples of the two types of comment YAML files that are created:

Parent Comment:

In the parent comments you will see that the reply_to field is blank.

_id: 74ea2730-ed18-11e7-96e3-b9aaffd0f2aa
_parent: >-
  2013-12-23-cisco-unified-communications-manager-unity-connection-sftp-emergency-backup-to-mac-os-x-over-the-internet
reply_to: ''
name: Dan
email: 9162d0c5aca33e7e4c8ec6fc3d44f541
body: Test comment 1
date: '2017-12-30T04:18:15.955Z'

Child Comment:

In the reply comments you will see that the reply_to field is populated with the ._id value from the parent comment.

_id: f7be83c0-ed1a-11e7-96e3-b9aaffd0f2aa
_parent: >-
  2013-12-23-cisco-unified-communications-manager-unity-connection-sftp-emergency-backup-to-mac-os-x-over-the-internet
reply_to: 74ea2730-ed18-11e7-96e3-b9aaffd0f2aa
name: Reply Tester
email: 53d8e4904144b75f9ada3862b6ebafae
body: Testing a reply to Dan’s comment
date: '2017-12-30T04:36:14.421Z'

This reply_to field is what is used to differentiate parent and child comments.

After a “parent” comment is printed the layouts/partials/comment-replies.html partial is called. This partial looks much like the post-comments partial:

{{ range $index, $comments := (index $.SiteDataComments_parent $.entryId_parent ) }}
  {{ if eq .reply_to $.parentId }}
    <div class="post-comment-reply">
      <div class="post-comment-header">
        <img class="post-comment-avatar" src="https://www.gravatar.com/avatar/{{ .email }}?s=100">
        <p class="post-comment-info"><strong>{{ .name }}</strong><br><i><small>In reply to {{ $.parentName }}</i></small><br>{{ dateFormat "Monday, Jan 2, 2006" .date }}</p>
      </div>
      {{ .body | markdownify }}
    </div>
  {{ end }}
{{ end }}

When this partial is called a dictionary of variables are passed:

{{ partial "comment-replies" (dict "entryId_parent" $entryId "SiteDataComments_parent" $.Site.Data.comments "parentId" ._id "parentName" .name "context" .) }}

These variables allow the replies partial to match the reply_to field against the parent comment ._id field (variable parentId) within this partial. Once a match it hit the same process is used for presenting the comment, with the slight addition of adding a text blurb to say this is a reply to the name of the parent comment author.

After all of the comments and replies for a particular post have been processed, the layouts/partials/comment_form.html partial is called:

<section class="comment_form">
  <a id="comment-form"></a>
  <h3>Say something</h3>

  <form class="post-new-comment" method="POST" action="{{ .Site.Params.staticman_api }}">
    <input type="hidden" name="options[redirect]" value="{{ .Permalink }}#post-submitted">
    <input type="hidden" name="options[redirectError]" value="{{ .Permalink }}#post-error">
    <input type="hidden" name="options[entryId]" value="{{ .File.BaseFileName }}">
    <input type="hidden" name="options[slug]" value="{{ .Permalink }}">
    <input type="hidden" name="options[origin]" value="{{ .Permalink }}">
    <input type="hidden" name="options[parent]" value="{{ .File.BaseFileName }}">
    <input type="hidden" name="fields[reply_to]" value="">
    <input type="hidden" name="options[reCaptcha][siteKey]" value="{{ .Site.Params.recaptcha_siteKey }}">
    <input type="hidden" name="options[reCaptcha][secret]" value="{{ .Site.Params.recaptcha_secret }}">

    <fieldset>
      <input name="fields[name]" type="text" class="post-comment-field" placeholder="Your name">
    </fieldset>

    <fieldset>
      <input name="fields[email]" type="email" class="post-comment-field" placeholder="Your email address">
    </fieldset>

    <fieldset>
      <textarea name="fields[body]" class="post-comment-field" placeholder="Your message. Feel free to use Markdown." rows="10"></textarea>
    </fieldset>

    <fieldset>
      <div class="notify-me">
        <input type="checkbox" id="comment-form-reply" name="options[subscribe]" value="email">
        Send me an email when someone comments on this post.
      </div>
    </fieldset>

    <fieldset>
      <div class="g-recaptcha" data-sitekey="{{ .Site.Params.recaptcha_siteKey }}" data-callback="enableBtn"></div>

      <input type="submit" class="post-comment-field btn" value="Submit" id="submit_button">
    </fieldset>

  </form>

  <script async src='https://www.google.com/recaptcha/api.js' ></script>


  <script type="text/javascript">
    document.getElementById("submit_button").disabled = true;
  </script>

  <script type="text/javascript">
    function enableBtn(){
       document.getElementById("submit_button").disabled = false;
      }
  </script>

  <div id="post-submitted" class="dialog">
    <h3>Thank you</h3>
    <p>Your post has been submitted and will be published once it has been approved.</p>
    {{ if (.Site.Params.githubPullURL) }}
      <p><a href="{{ .Site.Params.githubPullURL }}">Click here</a> to see the pull request you generated.</p>
    {{ end }}
    <p><a href="#" class="btn">OK</a></p>
  </div>

  <div id="post-error" class="dialog">
    <h3>OOPS!</h3>
    <p>Your post has not been submitted.  Please return to the page and try again.  Thank You!</p>
    <p><a href="#" class="btn">OK</a></p>
  </div>

</section>

This form was also taken from the Staticman Hugo example site and modified in a few ways. Multiple hidden input fields were added to support replies as well as subscribing to comment e-mail notifications.

To support e-mail replies we had to add a checkbox to the comment form:

<fieldset>
  <div class="notify-me">
    <input type="checkbox" id="comment-form-reply" name="options[subscribe]" value="email">
        Send me an email when someone comments on this post.
  </div>
</fieldset>

When this checkbox is selected it sets the value of the input options[subscribe] to the given e-mail address. This option is used by Staticman for creating and/or populating the mailing lists in Mailgun.

There is also logic to support reCaptcha. The reCaptcha authorizationis used in two ways:

• It is used by the backend Staticman server (setting in staticman.yml)
• It is used by the submit button on the comment form. The submit button remains disabled until the reCaptcha test is passed.

Once the form is filled out and the comment is submitted one of two things could happen. Within the comment_form partial there is a dialog for submission success and one for failure.

Success Dialog:

<div id="post-submitted" class="dialog">
  <h3>Thank you</h3>
  <p>Your post has been submitted and will be published once it has been approved.</p>
  {{ if (.Site.Params.githubPullURL) }}
    <p><a href="{{ .Site.Params.githubPullURL }}">Click here</a> to see the pull request you generated.</p>
  {{ end }}
<p><a href="#" class="btn">OK</a></p>
  </div>

If the Staticman API call comes back as successful, this dialog is presented. If the configuration parameter githubPullURL is set, a link will be presented to view the pull request created by Staticman. The OK button will take the user back to the beginning of the post.

Failure Dialog:

<div id="post-error" class="dialog">
  <h3>OOPS!</h3>
  <p>Your post has not been submitted.  Please return to the page and try again.  Thank You!</p>
  <p><a href="#" class="btn">OK</a></p>
</div>

If the Staticman API call reports a failure, this dialog is presented. The OK button will take the user back to the beginning of the post.

Summary

This has been a fun project that I have been working on for some time. I have learned a lot about all of the components of Hugo and hope that some people will show me better/cleaner/more efficient ways of handling this.

In this post I tried to cover everything from my notes, but if I forgot something I will be sure to update.

Thanks for taking the time to read this and I hope you find it helpful. Feel free to comment here and/or reach out to me on Twitter (@dancwilliams) if you would like to discuss any of this.

Thanks again!

Lagniappe

When I was migrating from Wordpress to Hugo + Staticman I wanted to be sure to migrate all of my existing comments. There was a lot of good stuff in there and I didn’t want to lose it. Since Wordpress provides a full export of your site in an XML document, I wrote a little Python script to extract the comments and create the YAML files. It even preserves the nesting. Here is a link to the script in GitHub.

GitHub Repo:

Intro to Ansible for Networkers - GitHub Repo

Below is a list of the technology I use in this lab environment:

• pfSense SG-1000 running 2.4 BETA
• Cisco VIRL_ — Core 0.10.29.12_
• VMWare ESXi 5.5 Update 1
• Generic VLAN Aware Layer 2 Switching

I will not go through the entire installation of Cisco VIRL. I am just going to go through what I do in my personal environment to allow the FLAT & FLAT2 networks to be routable to the world. I have the SNAT network setup in a similar fashion, but I do not often use it so I will only mention SNAT this once.

I will also not go through the process of adding VLANs and interfaces to the pfSense SG-1000. If this is something you would like me to cover in more detail just leave a comment or shoot me a tweet and I would be glad to help you out!

Instead of using the stock 172.16.1.0/24 & 172.16.2.0/24 FLAT networks, I have updated the VIRL configuration for my local environment. This evolved changing the second octet from 16 to 23. Once that is completed I saved the changes in the VIRL admin portal and allowed it to go through the LENGTHY process of reconfiguration. This takes a while…grab a drink…

After that I setup a VLAN (I used 200) and assigned it to an new interface on my pfSense SG-1000. I then give that interface the gateway IP of the FLAT network (172.23.1.0/24) and enable:

After everything is saved I added the FLAT2 gateway as a secondary virtual IP on the same interface:

After this configuration is done all that is left is to add a rule to allow traffic to pass through the interface. The last rule in this list in the one that allows all traffic originating on the Interface to access the Internet. The top three rules are added by pfBlockerNG, a package I highly recommend if you are a pfSense user!

Note…you DO NOT need to enable DHCP on your pfSense box! DHCP is handled by the VIRL system.

Ok, now all the pfSense prep is complete! Take the time to trunk your new VLAN through your infrastructure and into your VMWare environment. Once the VLAN is in ESXi it is as easy as applying the VLAN to the FLAT and FLAT2 interfaces on your VIRL VM. In most cases this is Network adapters 2 & 3:

Once this is complete you should be able to ping the gateway IPs from the FLAT (br1) and FLAT2 (br2) interfaces:

Great! Now…how do you use this in a simulation? I created a quick two nod simulation to show the usage. The main thing to pay attention to is the use of the “Shared flat network” setting in the Management Network dropdown while you are designing your sim. You get to this Properties screen by clicking the background in the simulation window:

Now save your sim and launch it. Once you launch the sim you will see that the nodes show “ACTIVE — UNREACHABLE”. Also, if you right click on the device and hover over “Telnet…” you will see that a 172.23.1.X IP has been assigned to the management port on the device:

While the IP is assigned to the device, it is not automatically configured on the device. If you log into the console of the device you will see that there are two interfaces, even though only one is shown on the sim. The first interface, Gi0/0 in this case, is connected to the imaginary back-end management network. You will need to configure this interface to use DHCP. It will pull the IP it has been assigned and you should be able to ping out to the gateway and beyond. I recommend using a mangement VRF just like you would in production. This way management will not interfere with your lab. See my config below:

As you see from the output above, DHCP hands out the IP VIRL has assigned. It must be noted this IP will change every time you launch the sim! So, how do you set a static IP? See the screen cap below. In the latest Alpha: While in the design pane you would click on the device, then scroll down to the bottom where it asks you to enter the Management address. If you enter an address that is not in the management scope, it will error when you try to launch the sim. In earlier versions of VIRL you will need to enter the static_ip extension manually. I have captured that in a screen shot as well.

Now when you launch the sim you will see that the telnet IP for node 1 is the static IP we assigned:

You will also notice that the device become reachable after you configure the management IP properly:

Now you just need to configure your remote access method of choice (Telnet/SSH) and you are off to the races!

I hope this helps and if you have any questions, corrections, or additions please leave a comment or hit me up on twitter!

All of the conclusions below were based off of my individual findings dealing with Vue and my cable provider. But, I used some parts of pfSense that a lot of people talk about and I thought it would be good to put it on paper for others to find.

For all of the pfSense examples below I am using pfSense 2.4.0-BETA on an Netgate SG-1000.

The Issue

When the decision to cut the cord it was with much excitement about the upcoming experimenting with different content providers. Firs we tested hardware and ended up settling on the Amazon FireTV. Then we started a free trial of both Sling and Playstation Vue. While going back and forth between the two I started to notice an issue. Sling was streaming without issue while we kept getting queued up with Vue.

I began to investigate. At the time I was running the system wireless through a Ubquiti UniFi setup, through our pfSense firewall, and out of our cable connection (70 down, 4 up). I noticed that while streaming Slack the data flow looked steady. But, when Vue was streaming, there were constant spikes in upload and download utilization. This really got me thinking…why would we be seeing spikes in both directions with a streaming service?

I started investigating. After digging and digging I finally found a post (which I can no longer find the link to…) that shed some light onto the subject. It was a description of the mechanism used by the Vue app to proactively monitor the bandwidth available to stream. It basically said that the due app was running a small bandwidth test periodically to test the available bandwidth for streaming.

This got me thinking about my cable internet provider. I had often run into issues with my link quality becoming garbage anytime I hit the limit on 70 down & 4 up on our account. The policing the company used was vicious and would drop packets like mad.

The Quick Test

I believed these periodic bandwidth tests were causing my providers aggressive policing to kick in and trash my link. To test my hypothesis I decided to put two limiter rules on my firewall. One was named upload and one was name download. I set the upload bandwidth to 2 meg and the download bandwidth to 5 meg (since this is the advertised Vue usage). I then put a rule on the LAN interface of my pfSense to catch traffic from my FireTV and apply the limiter.

After setting up this quick test I cleared my current firewall states so all the flows would be caught by the new rules. We fired up a show on Vue and I watched the limiters. Everything was working as it should on the firewall. Also, the stream was solid and I was not seeing the traffic spikes we were seeing earlier. I was seeing some drops on the limiters, but they did not seem to be affecting the quality of the stream.

I decided to put this into a more sustainable configuration so that I could maintain it moving forward, and make it scalable as we added FireTVs in other rooms of the home.

The Long Term Solution

Since we were planning to add more FireTVs to the home I decided to:

1. Create static DHCP reservations for the devices
2. Create a host alias group in pfSense that contains all of the devices
3. Create an upload and download limiter
4. Create a rule a firewall rule on my LAN interface to catch traffic and apply the limiter.

1. Create Static DHCP Reservations

To be sure I grabbed the proper devices each time, and to prevent myself from having to configure static IPs on my devices, I decided to use static DHCP reservations. Luckily static IP reservations are very easy in pfSense. I went to Status > DHCP Leases and found my FireTV. I then select the white background plus sign:

This will take you to the “Static DHCP Mapping on LAN” page. Here you will fill out all the information required for your environment. The only requirement is IP Address. The rest of the fields will accept the default settings from your DHCP configuration.

2. Create a Host Alias Group in pfSense That Contains All of the Devices

Once the static DHCP reservation is complete we move on to creating the alias group. For this I went to Firewall > Aliases > IP and clicked the “+ Add” button at the bottom of the list. Luckily for us the aliases setup within pfSense is very straightforward! Enter a desired name & description. Then make sure “Host(s)” is selected in the “Type” dropdown. After this add your new static IP to the “IP or FQDN” field. If you have more devices to add to this group just click the “+ Add Host” button and add as many as you need!

3. Create an Upload and Download Limiter

Now that we have our devices statically addressed and in an alias group we move on to configuring the limiters. We will need one limiter for the upload side and one for the download side. You will see why in the creation of the rule to catch traffic.

To configure a limiter is pfSense go to Firewall > Traffic Shaper > Limiters and select “+ New Limiter”. Below I have a screenshot of my AmazonTV_Download Limiter:

There are a lot of other fields available, but these are the basic ones that need to be filled out. I also created another limiter named AmazonTV_Upload. This one is set to 2 Mbit/s. I could probably lower that, since my FireTV shouldn’t be uploading anything to the Internet…

Once these are created be sure to save and apply your changes!

4. Create a Rule a Firewall Rule on My LAN Interface to Catch Traffic and Apply the Limiter.

This is where the rubber hits the road! Once all of the other pieces are configured we are ready to create a firewall rule to apply the limiters to the traffic. To do this we go to Firewall > Rules > LAN (because all of my FireTV devices are on the LAN network).

Here we select the “Add” button with the arrow pointing up. This is chosen so that the new rule will catch the FireTV traffic before it hits any other rules on the LAN interface. Depending on your rule setup you may need this rule to be elsewhere. If you are using floating rules always be mindful of your order of operations within the firewall. Floating rules are processed first!

I have included a screenshot of my Amazon FireTV rule below. You will see that I am using the alias group as the source with any as the destination matching on any protocol. The limiter is configured under the advanced options, so you will need to click the “Display Advanced” button at the bottom of the rule. At the bottom of the Advanced section you will see “In / Out Pipe”. This is where we put our limiters to use!

I like to pretend I am standing on the firewall looking at the device. So, the “In” pipe is where you put your upload rule and the “Out” pipe is where you put your download rule. They have added some language to explain this in the section.

Once the rule is saved and applied all you need to do is power cycle your FireTV so it will pick up the new IP reservation and then everything should start working.

Monitoring

To monitor your limiters go to Diagnostics > Limiter Info. Here you will see the real time data pertaining to the usage of your configured limiters. I have included the output from mine below as an example:

Final Thoughts

This is just one way I have used limiters. They are a VERY powerful tool in the pfSense arsenal!

If there are any questions/feedback/corrections please feel free to reach out in the comments below!

I thought I would make a quick post about how I reset the toner counters on my brother HL-3170CDW. I find myself having to search for these steps every few months.

The Request:

I love my brother HL-3170CDW printer (CLICK HERE). It performs great and always works for us. The one thing I do not like is buying toner cartridges…and I have yet to do so! I have owned this printer since August 13, 2013 and have yet to replace the toner even though I use it regularly. My current page count is a total 1,432 pages with 1,009 being color and 423 being monochrome and I am still using the starter cartridges that came with the printer. The brother spec sheet (CLICK HERE) states that the starter cartridges are good for 1,000 pages each, but I have been given the “Toner Low” error almost 3 times now.

The Solution:

The secret behind the continual use of the toner cartridges is the ability to reset the counters so the printer thinks the cartridges are new again. I will continue to do this until print quality decreases. Below are the steps to reset the counters. I always reset all cartridges…just to save myself time.

1. Open the top lid of the printer and leave ajar.
2. Press and hold the “Secure” and “X Cancel” buttons.
3. Use the arrow keys to select the cartridge model you would like to reset and press “OK”.
4. Press the UP arrow to reset the cartridge.
5. Once reset is selected you will see “ACCEPTED” on the screen.

After you perform the reset for the needed cartridges just close the printer lid and hit “X Cancel” to exit back to the main menu. DONE! From time to time I also use the cartridge sliders to clean the wires and preventative maintenance to keep the printer running in good shape.

Thanks!

I would like to say thank you to the following resources:

• YouTube

I have a client with a data center, a headquarters/DR site, and a lot of branches spread out all over the world with Internet connectivity.

They are currently using static IPSEC Internet facing VPNs to connect to their data center and HQ environemts, but the company is hitting a growth spurt and they are quickly realizing this solution is becoming difficult to scale and manage with their limited in-house IT staff.

The client wanted to stick with Internet based VPNs for connectivity. They also wanted a solution that would allow them to easily stand up a new remote site quickly with a template configuration and provide tunnel redundancy between the data center and HQ locations. They also wanted direct site-to-site communications when necessary.

The Solution:

The examples below are from my lab. They are working in production with different crypto algorithms.

Since this client has an existing Cisco routing environment and plans to continue to use Cisco routers it was decided that a DMVPN setup would work best to met their needs. To provide the type of connectivity they desired a Phase 3 dual-hub setup would be the best bet.

The client also had an existing EIGRP setup that ran between the HQ and data center over an existing GRE tunnel. This GRE tunnel will be removed and replaced with the DMVPN as well. There is nothing special with the EIGRP configuration used on the routers when using this DMVPN setup besides the EIGRP aggregate statements we will place on the hub tunnel interfaces.

First lets look at the standard crypto config that goes on all routers, both hub and spoke:

crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key t3$tk3y address 0.0.0.0        
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set TRANSSET ah-sha-hmac esp-aes 256 esp-sha-hmac 
 mode transport
!
crypto ipsec profile VPNPROF
 set transform-set TRANSSET

For the following tunnel interface examples we need to lay out an example IP scheme so everything makes sense:

• EIGRP AS: 1
• Data Center
  • WAN IP: 1.1.1.1
  • Tunnel100: 10.100.0.1
  • LAN 1: 192.168.10.0/24
  • LAN 2: 192.168.11.0/24
• HQ
  • WAN IP: 2.2.2.2
  • Tunnel100: 10.100.0.10
  • LAN 1: 192.168.20.0/24
  • LAN 2: 192.168.21.0/24
• SPOKE 1
  • WAN IP: 3.3.3.3
  • Tunnel100: 10.100.0.20
  • LAN: 192.168.41.0/24
• SPOKE 2
  • WAN IP: 4.4.4.4
  • Tunnel100: 10.100.0.30
  • LAN: 192.168.51.0/24

Lets look at the configuration for our first hub…the Data Center:

interface Tunnel100
ip address 10.100.0.1 255.255.255.0
no ip redirects
no ip split-horizon eigrp 1
ip pim dr-priority 100
ip pim sparse-dense-mode
ip nhrp authentication t3$tk3y
ip nhrp map multicast dynamic
ip nhrp map multicast 2.2.2.2
ip nhrp map 10.100.0.10 2.2.2.2
ip nhrp network-id 100
ip nhrp holdtime 360
ip nhrp nhs 10.100.0.10
ip nhrp shortcut
ip nhrp redirect
ip summary-address eigrp 1 192.168.0.0 255.255.0.0
ip summary-address eigrp 1 192.168.10.0 255.255.255.0
ip summary-address eigrp 1 192.168.11.0 255.255.255.0
ip tcp adjust-mss 1416
tunnel source Ethernet0/0
tunnel mode gre multipoint
tunnel key 100
tunnel protection ipsec profile VPNPROF

For this hub config you will see a few different things.

First you will see that in addition to the standard DMVPN dynamic statements you will also see a static config that is pointing to the second hub, in this case the HQ site.

You will also see the command ip nhrp shortcut and ip nhrp redirect. These commands enable the smooth creation of spoke-to-spoke tunnels and are additions in Phase 3.

Now for the summary addresses…

First we want to cover the entire private IP space that could be used inside the organization. Since this organization uses strictly 192.168.X.X space we place the 192.168.0.0/16 aggregate on the hub tunnel. But, since this is a dual-hub design, we also need to place the site specific aggregates on the tunnel as well. Since this sites design does not allow us to cleanly roll up the subnets each /24 was added as a separate statement.

The reason behind these aggregates is because the spoke will only see routes from the hub. In DMVPN Phase 3 the EIGRP relationship only exists between the spoke and hub. When a spoke tries to route to the IP space of another spoke the hub will pass the more specific route via an NHRP message and inject it into the spoke as an H designated route. The more specifics allow the traffic to flow directly to the hub that possesses that IP space. If the more specific aggregates were not configured both hubs would only advertise the /16 aggregate and this could lead to less than optimal routing.

Now lets look at the HQ tunnel remembering that HQ is the second hub:

interface Tunnel100
ip address 10.100.0.10 255.255.255.0
no ip redirects
no ip split-horizon eigrp 1
ip pim dr-priority 95
ip pim sparse-dense-mode
ip nhrp authentication t3$tk3y
ip nhrp map multicast dynamic
ip nhrp map multicast 1.1.1.1
ip nhrp map 10.100.0.1 1.1.1.1
ip nhrp network-id 100
ip nhrp holdtime 360
ip nhrp nhs 10.100.0.1
ip nhrp shortcut
ip nhrp redirect
ip summary-address eigrp 1 192.168.0.0 255.255.0.0
ip summary-address eigrp 1 192.168.20.0 255.255.255.0
ip summary-address eigrp 1 192.168.21.0 255.255.255.0
ip tcp adjust-mss 1416
tunnel source Ethernet0/0
tunnel mode gre multipoint
tunnel key 100
tunnel protection ipsec profile VPNPROF

As you can see the configuration is close to identical except for the static NHRP configuration, the EIGRP aggregates, and the PIM DR priority.

Now that we have our hubs configured we can put together the configuration for our spokes. This tunnel config will be used over and over again as new spokes are rolled out. Since the HQ and Data Center IPs remain static the only thing that needs to be changed for each spoke would be the tunnel interface IP address and the source interface.

Remember…the spokes use the same crypto config as the hubs:

interface Tunnel100
 ip address 10.100.0.20 255.255.255.0
 no ip redirects
 ip pim sparse-dense-mode
 ip nhrp authentication t3$tk3y
 ip nhrp map multicast 1.1.1.1
 ip nhrp map multicast 2.2.2.2
 ip nhrp map 10.100.0.1 1.1.1.1
 ip nhrp map 10.100.0.10 2.2.2.2
 ip nhrp network-id 100
 ip nhrp holdtime 360
 ip nhrp nhs 10.100.0.1
 ip nhrp nhs 10.100.0.10
 ip nhrp registration no-unique
 ip nhrp shortcut
 ip nhrp redirect
 ip tcp adjust-mss 1416
 ip ospf network point-to-multipoint
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile VPNPROF

Pretty basic right? This config will create static DMVPN tunnels to both hubs. When you run a show dmvpn command you will see the following output on the spoke:

SPOKE1#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel100, IPv4 NHRP Details 
Type:Spoke, NHRP Peers:2, 
# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
    1  1.1.1.1         10.100.0.1       UP   01:20:18    S
    1  2.2.2.2         10.100.0.10      UP   01:20:08    S

Great! The spoke is now up and connect to the hubs! Lets take a look at the routing table: Routing table truncated to show relevant pieces

SPOKE1#sh ip route

 10.0.0.0/8 is variably subnetted, 10 subnets, 2 masks
C        10.100.0.0/24 is directly connected, Tunnel100
L        10.100.0.20/32 is directly connected, Tunnel100
D        10.254.254.1/32  [90/27008000] via 10.100.0.1, 01:23:00, Tunnel100
D        10.254.254.10/32 [90/27008000] via 10.100.0.10, 01:23:00, Tunnel100
D        10.254.254.30/32 [90/28288000] via 10.100.0.10, 01:23:00, Tunnel100
D     192.168.0.0/16 [90/27008000] via 10.100.0.10, 01:23:00, Tunnel100
                     [90/27008000] via 10.100.0.1, 01:23:00, Tunnel100
  192.168.41.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.41.0/24 is directly connected, Loopback1
L        192.168.41.1/32 is directly connected, Loopback1
D     192.168.10.0/24 [90/27008000] via 10.100.0.1, 01:23:00, Tunnel100
D     192.168.11.0/24 [90/27008000] via 10.100.0.1, 01:23:00, Tunnel100
D     192.168.20.0/24 [90/27008000] via 10.100.0.10, 01:23:00, Tunnel100
D     192.168.21.0/24 [90/27008000] via 10.100.0.10, 01:23:09, Tunnel100

As you see we only have the aggregates in the spoke routing table. Now lets try to ping the LAN IP space on SPOKE 2. Lets look at the show dmvpn once again:

SPOKE1#ping 192.168.30.1 source Lo1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.114.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.30.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/5/5 ms
SPOKE1#sh dmvpn                     
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel100, IPv4 NHRP Details 
Type:Spoke, NHRP Peers:3, 

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
      1 1.1.1.1         10.100.0.1        UP 01:30:11     S
      1 2.2.2.2         10.100.0.10       UP 01:30:01     S
      2 4.4.4.4         10.100.0.30       UP 00:00:29     D
                        10.100.0.30       UP 00:00:29   DT1

Nice! The dynamic tunnel popped up without a problem. The following route was added to the routing table:

H     192.168.30.0/24 [250/1] via 10.100.0.30, 00:04:38, Tunnel100

Just like we expected…NHRP has injected the more specific with the H designator. Now, if either of the hubs were to fail the other hub would continue to act as the NHRP server and the dynamic environment would continue to function.

Conclusion:

DMVPN is a very useful tool in a Cisco routed environment. It can make rolling out new spokes very easy. There are also many ways to customize this environment. I see a lot of clients that will place the routers Internet interface and Internet default route into its own VRF and then have the tunnel passing routes into the global table. Then the hub will pass a default to the spoke and force all traffic through the hub. This allows for filtering and other security measures to be taken centrally.

THANKS!

Thanks for taking the time to read this. I hope you find it helpful! Please feel free to leave comments or contact me via twitter (@dancwilliams) if you have any questions or feedback.

Now that Cisco has included SSL VPN licensing as part of the 15.3(3)M IOS I have had multiple clients ask about turning on the capability and reaching back into Active Directory for authentication.

The Solution:

The equipment I used to lab this solution:

• Cisco 881 w/ IOS 15.3(3)M3 (10.0.1.238)
• Windows Server 2008 R2 (10.0.1.231)

First we will go through the steps to configure the RADIUS server on Windows so we have access to Active Directory for authentication. You must first ensure the “Network Policy and Access Services” role is installed on the server. Once this role is installed we will go into NPS (Local) > RADIUS Clients and Servers > RADIUS Clients. Here will will configure our router as a RADIUS Client. Be sure to make note of the key you specify here as you will need it when configuring the RADIUS server on the router.

Once our RADIUS client is configured we will move on to configuring the Network Policies in NPS (Local) > Policies > Network Policies and clicking NEW under Actions.

Under the Conditions Tab you will want to add a Windows Group that contains your users that are allowed VPN access and a NAS IPv4 Address to specify the requesting router.

Under the Constraints tab you will only select Unencrypted Authentication (PAP, SPAP).

The Settings tab can be left at default. Make sure that you move your new policy to the top of the list!

Now that we have the Windows Server piece configured we can move on to the configuration of the router. I have included the main configuration blocks below. Be sure to bind radius requests to the interface with the IP you specified in the Windows Server configuration or else requests may fail. Depending on the environment some people choose to use a loopback address for this.

Note: The only interface I have configured on this router is the Fa4 interface with the IP 10.0.1.238 which is plugged into my lab environment. Also, when you first issue the webvpn gateway NAME command and self-signed cert and trustpoint will be configured. I have included a reference doc at the bottom that goes through the SSL VPN config in more detail.

aaa new-model
!
radius server RADIUS 
address ipv4 10.0.1.231 auth-port 1645 acct-port 1646 
key XXXXXXXXX
!
aaa group server radius TEST881
 server name RADIUS
!
ip radius source-interface FastEthernet4 
!
aaa authentication login SSL_VPN group TEST881 local
!
webvpn gateway SSLVPN_Gateway
    ip address 10.0.1.238 port 443  
    http-redirect port 80
    ssl trustpoint TP-self-signed-4045373729
    inservice
!
webvpn context SSLVPN_Context
    title "Network Hobo VPN"
    login-photo file flash:/Blog_LOGO.png
    logo file flash:/Blog_LOGO.png
    login-message "Secure Access"
    aaa authentication list SSL_VPN
    gateway SSLVPN_Gateway
    !
    ssl authenticate verify all
    !
    url-list "Internal Sites"
        heading "LAB"
        url-text "CACTI" url-value "http://10.0.1.241"
        url-text "IOU-WEB" url-value "http://10.0.1.34"
    inservice
    !
    policy group SSLVPN_DefaultPolicy
        url-list "Internal Sites"
    default-group-policy SSLVPN_DefaultPolicy

Once you have your RADIUS server and additional aaa config in place you can test RADIUS authentication using the following command:

TEST_881#test aaa group radius dwilliams Test1Test1 legacy 
Attempting authentication test to server-group radius using radius
User was successfully authenticated.

Next you can navigate to your SSL VPN site and attempt to log in. Everthing should be good to go if you have followed the steps above.

Conclusion:

The ability to implement the Cisco IOS SSL VPN and tie it back into AD without any additional cost or licensing is a big thing to many of my clients. This will give many existing organizations a new capability to lock down their edge and really enhance remote access capabilities with the investment of a little time and possibly some consulting dollars. While I mainly focused on authenticating through AD/RADIUS in this article there are many other capabilities of the SSL VPN that I did not cover. Maybe in a future write up…

THANKS!

I would like to say a quick thank you to the following references while I was working through this:

• Clientless SSL VPN on Cisco IOS Router - Knowledge Base

I have a client with multiple 6807 VSS pairs that required an IOS upgrade. All of the pairs have a single SUP2-T in each chassis and were in the 15 code train. Although the ISSU process is very straight forward I wanted to put this quick process up as I had to search through multiple documents to gather all the pieces I needed to knock it out.

The Solution:

Since these switches were in the proper code train to utilize ISSU I decided that was the best route to go. It also helps that everything was already dual-homed. This process is for VSS pairs with only one SUP per chassis! If you have another configuration you can reference the Cisco document provided at the bottom of the post. Some example text was taken from the Cisco Document referenced below One of the first things you want to verify is that there is a current boot variable configured on the VSS pair pointing to the version of code that is running currently. Some devices only have one version of code on the bootdisk so there is not a boot variable configured. For the ISSU to perform properly you MUST configure the boot variable:

Router(config)# boot system flash bootdisk:s72033-oldversion.v1

Next you will want to download the new image from your favorite file transfer spot to your bootdisk. I prefer to use FTP:

Router# copy ftp: bootdisk:
Address or name of remote host []? test.ftp.local
Source filename []? s72033-newversion.v2
Destination filename [s72033-newversion.v2]?
Accessing ftp://test.ftp.local/s72033-newversion.v2...!!!!! Complete

Once the image is downloaded you will want to copy the image over to the slavebootdisk:

Router# copy bootdisk: slavebootdisk:
Source filename []? s72033-newversion.v2
Destination filename [s72033-newversion.v2]?
Copy in progress...CCCCCCCCCCCCCCC Complete

After you have the images on both bootdisks you can begin the ISSU process. The first step is to verify the VSS pair is ready for the ISSU upgrade:

Router# show issu state detail
Slot = 1/3
RP State = Active
ISSU State = Init
Boot Variable = bootdisk:s72033-oldversion.v1,12;
Operating Mode = sso
Primary Version = N/A
Secondary Version = N/A
Current Version = bootdisk:s72033-oldversion.v1
Variable Store = PrstVbl

Slot = 2/3
RP State = Standby
ISSU State = Init
Boot Variable = bootdisk:s72033-oldversion.v1,12;
Operating Mode = sso
Primary Version = N/A
Secondary Version = N/A
Current Version = bootdisk:s72033-oldversion.v1

Router# show redundancy states
my state = 13 -ACTIVE
peer state = 8 -STANDBY HOT
Mode = Duplex
Unit = Secondary
Unit ID = 18

Redundancy Mode (Operational) = sso
Redundancy Mode (Configured) = sso
Redundancy State = sso
Maintenance Mode = Disabled
Communications = Up

client count = 132
client_notification_TMR = 30000 milliseconds
keep_alive TMR = 9000 milliseconds
keep_alive count = 0
keep_alive threshold = 18
RF debug mask = 0x0

Once the pair is verified to be good to go you will want to load the new image onto the standby chassis. This will load the new code on the standby and reload the chassis. If you have EVERYTHING DUAL HOMED you will not see an interruption in traffic.

Router# issu loadversion bootdisk:s72033-newversion.v2

000133: Aug 6 16:17:44.486 PST: %LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet1/3/4, changed state to down
000134: Aug 6 16:17:43.507 PST: %LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet2/3/4, changed state to down
000135: Aug 6 16:17:43.563 PST: %LINK-3-UPDOWN: Interface TenGigabitEthernet2/3/4, changed state to down
000136: Aug 6 16:17:44.919 PST: %LINK-3-UPDOWN: Interface TenGigabitEthernet1/3/4, changed state to down

(Deleted many interface and protocol down messages)

%issu loadversion executed successfully, Standby is being reloaded

(Deleted many interface and protocol down messages, then interface and protocol up messages)

0000148: Aug 6 16:27:54.154 PST: %LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet1/3/5, changed state to up
000149: Aug 6 16:27:54.174 PST: %LINK-3-UPDOWN: Interface TenGigabitEthernet2/3/5, changed state to up
000150: Aug 6 16:27:54.186 PST: %LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet2/3/5, changed state to up
000151: Aug 6 16:32:58.030 PST: %HA_CONFIG_SYNC-6-BULK_CFGSYNC_SUCCEED: Bulk Sync succeeded

During the process you will want to run the following command until you see that the ISSU Sub-State is Load Version Complete:

Router# show issu state detail
Slot = 1/3
RP State = Active
ISSU State = Load Version
Boot Variable = bootdisk:s72033-oldversion.v1,12
Operating Mode = sso
Primary Version = bootdisk:s72033-oldversion.v1
Secondary Version = bootdisk:s72033-newversion.v2
Current Version = bootdisk:s72033-oldversion.v1
Variable Store = PrstVbl

Slot = 2/3
RP State = Standby
ISSU State = Load Version
Boot Variable = bootdisk:s72033-newversion.v2,12;bootdisk:s72033-oldversion.v1,12
Operating Mode = sso
Primary Version = bootdisk:s72033-oldversion.v1
Secondary Version = bootdisk:s72033-newversion.v2
Current Version = bootdisk:s72033-newversion.v2

Router# show redundancy status
my state = 13 -ACTIVE
peer state = 8 -STANDBY HOT
Mode = Duplex
Unit = Secondary
Unit ID = 18

Redundancy Mode (Operational) = sso
Redundancy Mode (Configured) = sso
Redundancy State = sso
Maintenance Mode = Disabled
Communications = Up

client count = 132
client_notification_TMR = 30000 milliseconds
keep_alive TMR = 9000 milliseconds
keep_alive count = 1
keep_alive threshold = 18
RF debug mask = 0x0

Once this state is reached you will want to go into the next step to force a switchover to the standby chassis that is running the new code and being upgrading the remaining chassis. Once you issue the runversion command it will start a rollback timer that is by default set to 45 minutes. If you do not commit the version (next step) before the timer runs out the upgrade will be rolled back!

Router# issu runversion
This command will reload the Active unit. Proceed ? [confirm]
(Deleted many lines)

Download Start
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
(Deleted many lines)
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Download Completed! Booting the image.
Self decompressing the image : ##########################################################################################
(Deleted many lines)

running startup....

(Deleted many lines)

000147: Aug 6 16:53:43.199 PST: %HA_CONFIG_SYNC-6-BULK_CFGSYNC_SUCCEED: Bulk Sync succeeded

Once the chassis has rebooted we will once again want to verify the ISSU state and redundancy state:

Router# show issu state detail
Slot = 2/3
RP State = Active
ISSU State = Run Version
Boot Variable = bootdisk:s72033-newversion.v2,12;bootdisk:s72033-oldversion.v1,12
Operating Mode = sso
Primary Version = bootdisk:s72033-newversion.v2
Secondary Version = bootdisk:s72033-oldversion.v1
Current Version = bootdisk:s72033-newversion.v2
Variable Store = PrstVbl

Slot = 1/3
RP State = Standby
ISSU State = Run Version
Boot Variable = bootdisk:s72033-oldversion.v1,12
Operating Mode = sso
Primary Version = bootdisk:s72033-newversion.v2
Secondary Version = bootdisk:s72033-oldversion.v1
Current Version = bootdisk:s72033-oldversion.v1

Router# show redundancy status
my state = 13 -ACTIVE
peer state = 8 -STANDBY HOT
Mode = Duplex
Unit = Primary
Unit ID = 39

Redundancy Mode (Operational) = sso
Redundancy Mode (Configured) = sso
Redundancy State = sso
Maintenance Mode = Disabled
Communications = Up

client count = 134
client_notification_TMR = 30000 milliseconds
keep_alive TMR = 9000 milliseconds
keep_alive count = 1
keep_alive threshold = 18
RF debug mask = 0x0

You will now want to commit the new version to reload the standby chassis and have it run the new image:

Router# issu commitversion
Building configuration...
[OK]
000148: Aug 6 17:17:28.267 PST: %LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet2/3/4, changed state to down
000149: Aug 6 17:17:28.287 PST: %LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet1/3/4, changed state to down

(Deleted many interface and protocol down messages)

%issu commitversion executed successfully

(Deleted many interface and protocol down messages, then interface and protocol up messages)

000181: Aug 6 17:41:51.086 PST: %LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet1/3/5, changed state to up
000182: Aug 6 17:42:52.290 PST: %HA_CONFIG_SYNC-6-BULK_CFGSYNC_SUCCEED: Bulk Sync succeeded

Once this has completed your entire VSS pair will be upgraded. You can verify the upgrade by once again checking the ISSU & redundancy state:

Router# show issu state detail
Slot = 2/3
RP State = Active
ISSU State = Init
Boot Variable = bootdisk:s72033-newversion.v2,12;bootdisk:s72033-oldversion.v1,12
Operating Mode = sso
Primary Version = N/A
Secondary Version = N/A
Current Version = bootdisk:s72033-newversion.v2
Variable Store = PrstVbl

Slot = 1/3
RP State = Standby
ISSU State = Init
Boot Variable = bootdisk:s72033-newversion.v2,12;bootdisk:s72033-oldversion.v1,12
Operating Mode = sso
Primary Version = N/A
Secondary Version = N/A
Current Version = bootdisk:s72033-newversion.v2

Router# show redundancy status
my state = 13 -ACTIVE
peer state = 8 -STANDBY HOT
Mode = Duplex
Unit = Primary
Unit ID = 39

Redundancy Mode (Operational) = sso
Redundancy Mode (Configured) = sso
Redundancy State = sso
Maintenance Mode = Disabled
Communications = Up

client count = 134
client_notification_TMR = 30000 milliseconds
keep_alive TMR = 9000 milliseconds
keep_alive count = 1
keep_alive threshold = 18
RF debug mask = 0x0

Conclusion:

Once I found all of the information I needed this was a very easy process and actually did not take as long as I expected. The boot variable was one issue I ran into but once I figured out what it was asking for that was easy to fix. Another thing to be mindful of is that after the upgrade process your original active processor will be the standby processor.

THANKS!

I would like to say a quick thank you to the following references while I was working through this:

• Cisco Release 15.1SY Supervisor Engine 2T Software Configuration Guide

6. If you do not have a FQDN for your nameserver you will want to create an A record pointing to its IP:

THANKS!

I would like to that Glen Kemp who began discussing this topic with me. I thought I should put this up even though GoDaddy clearly supports this procedure in their Support Forums.

I thought I would make a quick post around how I prepare audio files for deployment in Unity Connection, Communications Manager, Contact Center Express, and other Cisco UC¹ products. This post will be focused around Unity Connections but the same method can be used for all applications.

The Request:

Due to inclement weather conditions in the southeast I had multiple clients that needed emergency messages uploaded to their Unity Connection auto attendants. I have some clients that have call handler managers and record and configure their own messages on the systems. But, I have quite a few that would much rather just record a message with whatever is handy (an iPhone more and more these days) and e-mail it to me for uploading and configuration.

The Solution:

I like to use the Switch application by NCH Software for this task. For the amount of time I spend performing this task I find the software to be extremely easy to use, accepting of every format I have thrown at it, and relatively inexpensive. I thought the best way to show how to do this would be by shooting a quick video:

Also here is a quick screen shot of the settings for the WAV conversion so it will be in the format Cisco likes! I know we have all run into this especially with things like music on hold…

Conclusion:

This is just a short post on a topic I am asked about often. I am sure there are MANY different ways to accomplish this task using many different tools and methods. I would love for you all to share your method in the comments so we can all learn!

Two new Nexus 7Ks have been installed at one of my client’s data centers. Management connectivity was brought up to the data center core and verified. I was given console access and told to configure TACACS+¹ authentication and authorization on the F2 VDC².

The Solution:

Configuring TACACS+ on the Nexus 7K is totally different than on IOS and even different than on the Nexus 5K equipment. It also requires a certain order of operations and there is one solid “gotcha” that most people run into. But, knowing these going in will make this a painless procedure. The first thing to remember is that you MUST enter the TACACS+ server key UNENCRYPTED. Most templates within many organizations I work with keep the TACACS+ key in its encrypted format within template documents. Entering it into a Nexus 7K in this format WILL NOT WORK. Been there…done that… First you will need to make sure the TACACS+ feature in enabled on the NEXUS 7K by entering the following command:

config
feature tacacs+

Now you will need to decide how to configure your TACACS+ server keys. You can either configure a global key for all servers or on a per-server basis: Global Key:

tacacs-server key 0 TESTKEY

Per-Server Key:

tacacs-server host X.X.X.X key 0 TESTKEY

Now you will need to list all of your TACACS+ hosts. Previously I showed you how to enter a host with a per-server key. If you use a global key you will use this command:

tacacs-server host X.X.X.X

Now we need to configure a TACACS+ group to use for authentication, authorization, accounting, etc. Here is an example:

aaa group server tacacs+ TESTNAME
    server X.X.X.X
    server X.X.X.X
    server X.X.X.X
    use-vrf VRFNAME

The servers you enter into the group must first be defined as tacacs-server hosts as shown in the previous configuration . If you know this fact going in it is a huge time saver! It is also recommended that you configure the VRF that you would like to use for TACACS+ access. If you have no VRFs configured just use the following code to use the default VRF:

use-vrf default

Now you want to tell the Nexus 7K where to source the request from. For example if you were to use VLAN 2 for the TACACS+ source interface you would use the following code:

ip tacacs source-interface vlan 2

Some organizations also like to use directed requests to allow certain groups point their logins toward certain authentication servers outside of the standard group configuration. The command that allows this to happen is:

tacacs-server directed-request

After all of this has been configured you are ready to add your authentication strings and test. I always recommend ensuring authentication works before configuring anything further, especially authorization as it can definitely slow down the process. The aaa string you need to enter is as follows:

aaa authentication login default group TESTNAME

Now you can test using the following command:

test aaa group TESTNAME username password

This will allow you to verify TACACS+ is working properly. Once this is confirmed you can move on to the authorization and accounting configuration:

aaa authentication login console group TESTNAME
aaa authorization commands default group TESTNAME
aaa accounting default group TESTNAME
aaa authentication login error-enable

I have included the full config below. If commands are entered in this order you will be good to go!

config
feature tacacs+
tacacs-server key 0 TESTKEY
tacacs-server host X.X.X.X
tacacs-server host X.X.X.X
tacacs-server host X.X.X.X
aaa group server tacacs+ TESTNAME
    server X.X.X.X
    server X.X.X.X
    server X.X.X.X
    use-vrf VRFNAME
ip tacacs source-interface vlan 2
tacacs-server directed-request
aaa authentication login default group TESTNAME
aaa authentication login console group TESTNAME
aaa authorization commands default group TESTNAME
aaa accounting default group TESTNAME
aaa authentication login error-enable

Conclusion:

I had a selfish motive for writing this post…I was tired of join through it over and over again. If the order of operations is followed properly, and the gotchas are avoided, this can be a fun and painless procedure. I hope this helps everyone and if you have any questions or improvements just let me know!

THANKS!

I would like to say a quick thank you to the following references while I was working through this:

• Josh O’Brien (@joshobrien77) over at staticnat.com! You post on Nexus 7000 TACACS+ helped a TON. You can read it here.
• Cisco Nexus 7K Security Design Guide
• Cisco Nexus 7K TACACS+ Example

I was engaged by a long time client who was having an issue with their local SFTP¹ server. After some upgrades to their server infrastructure they noticed their phone/voicemail system had not been backed up in MONTHS! They asked if there was a way for me to perform an “emergency” backup to my system if they gave the voice VLAN access to the Internet temporarily while they fixed their SFTP issues.

The Solution:

It just so happened that when the client called me I was out of the office and working from the family home for the holidays. Here is the equipment I had available to me:

• Apple Airport Express MC414LL/A (Internet Gateway)
• MacBook Pro w/ OS X Mavericks 10.9.1

The Cisco phone system consists of the following components:

• Cisco CUCM² 9.0
• CUC³ 9.0

This process is the same on both the CUCM and CUC. There are additional services to backup under CUC but the backup system is identical. The first thing I needed to do was access the phone system and verify Internet connectivity. I used RDP⁴ to access the client’s management server. Once logged in I accessed the phone system to verify Internet connectivity. This is done by logging into Cisco Unified OS Administration web page then going to Services > Ping and trying to ping an outside address (4.2.2.2 in this example):

Once Internet connectivity from the phone system was verified I moved on to configuring my local system to accept the transfer. First I configured NAT on the Apple Airport Express to pass SSH (port 22) from the Internet to my laptop. Below are the screenshots: First we access the Airport Utility and click on the Internet access router. Make note of the IP Address as you will need it later:

Next we click “Edit” and go to the “Network” tab. Then click the “+” below the “Port Settings” field:

Next use the drop down to select the “Remote Login - SSH” service and point it to the IP of your laptop. Click “Save” and then apply the configuration to the Airport Express:

Once this was configured I moved on to configuring my laptop to accept SSH connections. This process is pretty straight forward and I have included screenshots below:

Once SSH was configured on the laptop it was time to configure a backup device on the phone system and perform a manual backup. Below are the screenshots: First I accessed the Disaster Recovery System > Backup > Backup Device and configured a new device. You would replace the X.X.X.X with you Internet/Public IP address that you got off of your Airport Express. Point the path to where you would like the backup files to be saved (I created a folder on my desktop to collect the files). Then use your laptop username and password. When you save the backup device it will test connectivity before declaring a successful save.

Next you will go into Backup > Manual and start a manual backup of all available services. You will select the services by checking the box beside each one. In Unity Connection you may receive popups concerning dependencies. This will be ok since you will be selecting all services to back up.

Once I verified the backups (Backup > History) were successful I loaded them to Dropbox and shared them out to my client. Too easy!

Conclusion:

This is a short post but the process definitely came through in a pinch so I wanted to get it documented. Luckily I was at a location with high enough bandwidth that the entire procedure was not TOO painful. I was able to help the client in their time of need and provide the level of service they are accustomed to receiving. That being said I will be setting up a full time SFTP server in the DMZ⁵ at the office to handle these issues in the future. If you have any questions or suggestions feel free to comment below! Thanks!

I had a new client contact me requesting that I investigate a call that came in over the weekend where an external customer was able to leave a voicemail on an internal users extension, using the corporate IVR, instead of being routed to the weekend service. This behavior was unacceptable and caused much concern throughout the leadership. The client provided me the internal extension where the voicemail was left and a timeframe. Since I was relatively new to the system I was excited to get my hands dirty and really investigate the routing. As all voice engineers know, coming into a system someone else built can always be an adventure…

The Investigation:

The system in question is a Cisco CUCM¹ and CUC² 9.0 with SCCP³ trunking. Since this client is closed on the weekends I thought the best place to start would be by looking at the weekend CDRs⁴ from the time frame provided to see if anything stood out. I pulled the records and noticed that some calls were being translated directly to a certain extension although the client only had a small set of DIDs mapped to internal extensions. I stepped into the translation patterns and found that there were many DIDs being translated to the single extension I had noticed in the CDRs. I found this extension was a CTI⁵ Route Point and was forwarded to voicemail. Upon accessing the voicemail system I first went into forwarded routing rules and located the CTI Route Point extension I had collected from the CDRs. It was forwarded to a company standard IVR call handler with no schedule! This definitely looked like our culprit. I compiled a list of the DIDs using this extension and forwarded the list to my client. The client replied saying these extensions were from their pre-Cisco “legacy” days and were used for all hour access to the system but were not published to the public. Apparently someone on the outside of the organization had found or been giving one of these numbers. The question was…which one?

Translation Patterns, CDR Analysis, and The Solution:

To cut to the chase…translation patterns do not show up in CDR records. It is sad but true. You will see the Calling No. field as the external caller’s phone number and the Called No. as the called number AFTER translation. So, since all of these legacy DIDs were translating to a single internal extension I was unable to say with certainty exactly which DID was being used. To solve this problem I changed the translation patterns for these DIDs into CTI Route Points. CTI Route Points do produce CDRs unlike the translation patterns. I then forwarded these CTI Route Patterns to voicemail. I created a new voicemail profile for masking these numbers with some arbitrary mask (99999XXXXXXXXXX for example) so I can setup a forwarded routing rule within Unity Connection to catch this mask and hand the call off to the call handler. This way we will see the DID used in all of the CDRs from now on. The solutions was tested and the CDRs were checked and everything looks great! Has anyone else done this a different way or recommend a different approach?

THANKS!

First I would like to thank David over at protocol41. His entry had a quick blurb concerning Unity Connection order of operations that I needed to verify to make sure I was thinking straight! A few other links I used were DID configuration from Cisco. I was just investigating the Cisco “best practice” for DID configuration. I also used the Unity Connection Administration Guide which is always a ton of info.

I was approached by a client who wanted me to build their multi tenant network for a small office building. During the initial meeting it came out that they already had equipment and would like to use this equipment without purchasing much more. This is what I had to work with:

• 1 x Cisco X8XX Series ISR¹
• 6 x Cisco 2960X Switches

The client also has an existing Cisco Unified Communications System that they will be configuring to provide voice services to all of the tenants. There will be no LAN-to-LAN communications between the tenants. There will be a reasonable amount of commercial grade Internet access and the tenants will be allowed to host some services locally (e-mail, collaboration software, etc.).

My Proposed Solution:

Since the switches are strictly layer two devices and there will be zero tenant-to-tenant communications at the LAN level I proposed a VRF² solution utilizing the ISR as a router-on-a-stick. There will be a VRF for each tenant, a VRF for the voice service, a VRF for the WAN/Internet circuit. This will allow for strict separation of tenants while still allowing the sharing of voice and Internet services. Each VRF will reside in a VLAN that will be trounced to the stack of switches via a port-channel. I will leave the management VLAN in the global routing table.

The Proof of Concept:

Diagrams:

Here is a small, basic, diagram of what we will be building:

Here is how we broke down the VLANs/VRFs for the PoC³ lab:

VRF/VLAN Breakdown:

Remember: VRFs are case sensitive!

Switch Configuration Overview:

We will begin with the switches since they are the most basic. The switches will be stacked and the VLANs will be configured for each tenant, voice, and management. Since the switches are strictly layer 2 they will not be concerned with any of the VRF specific information.

Router Configuration Overview:

The router is where the real work takes place. The router we are using in the lab is a Cisco 2821 running IOS 15.1.4M7 Advanced Enterprise Services.

VRF Configuration

The first thing we did was configure the VRFs individually:

ip vrf WAN
 rd 65000:99
!
ip vrf red
 rd 65000:1
!
ip vrf blue
 rd 65000:2
!
ip vrf green
 rd 65000:3
!
ip vrf voice
 rd 65000:111

I like to match the RD ⁴ to the BGP ASN ⁵ and VLAN number whenever possible. As we begin importing an exporting routing to/from MP-BGP⁶ it will definitely help you keep things straight! In this scenario we are using an private ASN since we are not performing any external peering.

MP-BGP Configuration

Now that we have our VRFs setup I like to go ahead and configure MP-BGP. This can also be done after you configure all of your VLANs. MP-BGP is used in the scenario only for leaking routes between VRFs. Since each VRF is its own virtual router you have to have a mechanism to allow them to share, or “leak”, routes between virtual routers. MP-BGP is that mechanism and is MUCH easier than it sounds! See configuration below:

router bgp 65000
 bgp log-neighbor-changes
 !
 address-family ipv4 vrf WAN
  redistribute connected
 exit-address-family
!
 address-family ipv4 vrf red
  redistribute connected
 exit-address-family
 !
 address-family ipv4 vrf blue
  redistribute connected
 exit-address-family
 !
 address-family ipv4 vrf green
  redistribute connected
 exit-address-family
!
 address-family ipv4 vrf voice
  redistribute connected
 exit-address-family

Now that we have MP-BGP configured we will set the export and import statements within the VRFs. When thinking of import and export statements I always like to imagine I am standing on top of the VRF looking at MP-BGP. When I export from my VRF I am sending it to MP-BGP and when I import into my VRF I am importing from MP-BGP. Below is the configuration from the lab:

ip vrf WAN
 rd 65000:99
 route-target export 65000:99
 route-target import 65000:1
 route-target import 65000:2
 route-target import 65000:3
!
ip vrf blue
 rd 65000:1
 route-target export 65000:1
 route-target import 65000:99
 route-target import 65000:111
!
ip vrf red
 rd 65000:2
 route-target export 65000:2
 route-target import 65000:99
 route-target import 65000:111
!
ip vrf green
 rd 65000:3
 route-target export 65000:3
 route-target import 65000:99
 route-target import 65000:111
!
ip vrf voice
 rd 65000:111
 route-target export 65000:111
 route-target import 65000:1
 route-target import 65000:2
 route-target import 65000:3

Lets take a look at the WAN VRF import/export statements more closely:

ip vrf WAN
 rd 65000:99
 route-target export 65000:99
 route-target import 65000:1
 route-target import 65000:2
 route-target import 65000:3

In this statement you will see that I am exporting 65000:99 to MP-BGP and am importing 65000:1, 65000:2, and 65000:3 from MP-BGP. Those imports are the routes for VRF red, blue, and green respectively. You will also see that under each of those VRFs they are importing 65000:99. That gives them access to the routes in the WAN VRF. You will also notice that we are not importing the voice VRF (65000:111) into the WAN VRF nor are we importing the WAN VRF routes into the voice VRF. This will isolate the voice network from the Internet while still allowing the vice VLAN to be accessed by the tenants.

Port-Channel Configuartion:

Next we will configure the port-channel from the Cisco 2800 to the switch stack. Since we are using a 2821 in the lab we only have access to two ethernet ports. We are using G0/0 for WAN connectivity and we will use G0/1 as one half of the port-channel. This will work fine for a PoC. Below you will find the configuration from the lab:

interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
 no keepalive
 channel-group 1
!
interface Port-channel1
 no ip address
!
interface Port-channel1.1
 encapsulation dot1Q 1 native
 ip vrf forwarding red
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Port-channel1.2
 encapsulation dot1Q 2
 ip vrf forwarding blue
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Port-channel1.3
 encapsulation dot1Q 3
 ip vrf forwarding green
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Port-channel1.111
 encapsulation dot1Q 111
 ip vrf forwarding voice
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Port-channel1.999
 encapsulation dot1Q 999
 ip address 10.9.9.1 255.255.255.0
 ip virtual-reassembly in

Remember: Configure the VRF information under the interface FIRST! It will erase all layer 3 information on the interface when configured. This is a very basic setup. First interface G0/1 is added to channel-group 1. Then interface port-channel 1 on configured with no IP address. This is because we are utilizing this router as a router-on-a-stick. That means we must configure the VLANs as sub interfaces of the port-channel. Each of these sub interfaces will be assigned to their respective VRF and dot1q VLAN. These are also configured as “ip nat inside” interfaces as they will be NAT’d through the WAN VRF.

WAN Interface Configuration:

interface GigabitEthernet0/0
 description INTERNET INTERFACE - DO NOT TOUCH!!!
 ip vrf forwarding WAN
 ip address 10.20.30.253 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto

The WAN interface configuration is quite straight forward. First we place interface G0/0 into the WAN VRF and then add the IP information.

Default Route and NAT Configuration

Now that all of the interface, VLANs, VRFs, and MP-BGP are configured we are ready to give these tenants access to the Internet. Below is the configuration from the lab:

ip route vrf WAN 0.0.0.0 0.0.0.0 10.20.30.1
ip route vrf blue 0.0.0.0 0.0.0.0 10.20.30.1
ip route vrf green 0.0.0.0 0.0.0.0 10.20.30.1
ip route vrf red 0.0.0.0 0.0.0.0 10.20.30.1
!
ip access-list extended BLUENAT
 permit ip 192.168.2.0 0.0.0.255 any
ip access-list extended GREENNAT
 permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended REDNAT
 permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended WAN
 permit ip any any log
!
ip nat inside source list BLUENAT interface GigabitEthernet0/0 vrf blue overload
ip nat inside source list GREENNAT interface GigabitEthernet0/0 vrf green overload
ip nat inside source list REDNAT interface GigabitEthernet0/0 vrf red overload

First you will see the default routes for each VRF. This is a straightforward configuration that tells each VLAN how to leave the network. The voice VLAN is not given a default route as it is not allowed access outside and does not know about the WAN VRF. Next we configured extended access lists for each VRF and called out the IP address space. Afterward we configured the NAT overload statements for each VRF. This configuration is pretty standard if you are familiar with traditional NAT configuration.

Static NAT for Outside Access

We also had to configure static NAT to allow people on the Internet the ability to access services internal to each tenant. Below is the configuration from the lab:

ip nat inside source static tcp 192.168.1.1 443 10.20.30.253 80 vrf green extendable
ip nat inside source static tcp 192.168.1.1 443 10.20.30.253 443 vrf red extendable

We used these static NAT statements to show that the system is capable of NAT’ing to the same IP in different VRFs. As you will see in the output below this works without issue:

2821#sh ip nat translations  verbose 
Pro Inside global      Inside local       Outside local      Outside global
tcp 10.20.30.253:80    192.168.1.1:443    10.20.30.102:62834 10.20.30.102:62834
    create 00:00:34, use 00:00:33 timeout:86400000, left 00:00:26, 
    flags: 
extended, timing-out, use_count: 0, VRF : green, entry-id: 10, lc_entries: 0
tcp 10.20.30.253:80    192.168.1.1:443    10.20.30.102:62835 10.20.30.102:62835
    create 00:00:33, use 00:00:32 timeout:86400000, left 00:00:27, 
    flags: 
extended, timing-out, use_count: 0, VRF : green, entry-id: 11, lc_entries: 0
tcp 10.20.30.253:80    192.168.1.1:443    ---                ---
    create 00:00:42, use 00:00:33 timeout:0, 
    flags: 
static, extended, extendable, use_count: 2, VRF : green, entry-id: 7, lc_entries: 0
tcp 10.20.30.253:443   192.168.1.1:443    10.20.30.102:62826 10.20.30.102:62826
    create 00:00:38, use 00:00:37 timeout:86400000, left 00:00:22, 
    flags: 
extended, timing-out, use_count: 0, VRF : red, entry-id: 8, lc_entries: 0
tcp 10.20.30.253:443   192.168.1.1:443    10.20.30.102:62827 10.20.30.102:62827
    create 00:00:38, use 00:00:37 timeout:86400000, left 00:00:22, 
    flags: 
extended, timing-out, use_count: 0, VRF : red, entry-id: 9, lc_entries: 0
tcp 10.20.30.253:443   192.168.1.1:443    ---                ---
    create 00:02:42, use 00:00:38 timeout:0, 
Pro Inside global      Inside local       Outside local      Outside global
    flags: 
static, extended, extendable, use_count: 2, VRF : red, entry-id: 4, lc_entries: 0

One issue I did run into, and I am still investing, is that remote access to the WAN interface though both SSH and Telnet stopped working once we configured the static NAT statements. We removed the statements and instantly things began working again. To work around this we configured a loopback interface and NAT’d port 22. This allowed external access once again. Below is the configuration form the lab:

interface Loopback0
 ip vrf forwarding WAN
 ip address 10.255.255.255 255.255.255.255
!
ip nat inside source static tcp 10.255.255.255 22 10.20.30.253 22 vrf WAN extendable

We placed the loopback in the WAN VRF to isolate it as a WAN service.

Conclusion

Although I ran into a few roadblocks along the way I was able to get all of the services the client requested working on the equipment they provided. IF anyone sees any issue with the above configurations or would like more information feel free to comment below.

THANKS!

First I would like to that Greg Ferro whose book Arse First Method of Technical Blogging really got me motivated to start writing. I had been keeping lists of ideas for quite some time but his book really helped me put a plan together to get started! I would also like to thank Paul Stewart for his great blog at PacketU, Marko Milivojevic for his great VRF Route Leaking explanation at IPExpert and Jeremy Stretch for his excellent VRF blogs over at PacketLife.